What is spear phishing?

Unlike regular phishing, which aims to hook anyone willing to bite (think: financial appeals from a Nigerian Prince), spear phishing attacks target a specific individual or organization for a “long con.” TechTarget offers the following spear phishing attack definition:

“Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.”

Spear phishing attacks are significantly more successful than generic phishing emails. According to a report from FireEye, “spear phishing emails had an open rate of 70 percent … 50 percent of recipients who open spear phishing emails also click on enclosed links, which is 10 times the rate for mass mailings.”

So, why are targeted phishing attacks so successful?

Hackers spend a lot of time and effort planning their spear phishing attacks. They design their fake emails to look as legitimate and authentic as possible to trick the intended victims. This means using imagery/graphics, design, language, and even email addresses that can pass as real when minimally inspected. Spear phishing emails are personalized and use specific information to lure in victims. Sometimes, these messages are tailored to look like they are sent by a manager or high-level executive. They also can be customized to appear to come from a company-trusted vendor. They don’t resemble traditional mass phishing emails, so the messages are often missed by spam filters and other email protections.

Finally, rather than trying for a quick attack, spear phishers are patient with their targeted attacks. They often use multi-stage attacks that involve malware downloads and data exfiltration which can take weeks or even months.
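The sender-address tricks described above (a trusted display name on an outside address, a lookalike domain, a Reply-To that diverts replies) can be surfaced with a few header checks. The following is an added example, not part of the original article or any ITS tool; the campus domain `example.edu`, the trusted names, and the sample messages are all constructed for illustration.

```python
"""Flag sender-address tricks in email headers: display-name spoofing,
lookalike domains, and Reply-To diversion. Heuristic, for awareness only."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"                      # assumed: the organization's real domain
TRUSTED_NAMES = {"jane doe", "finance office"}  # assumed: names an attacker would impersonate


def normalize(domain: str) -> str:
    """Undo common visual substitutions so 'exarnple'/'examp1e' compare equal to 'example'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def lookalike(domain: str, real: str) -> bool:
    """True if domain visually imitates real, or embeds real's label in a longer name."""
    if domain.lower() == real.lower():
        return False                        # identical domain is not a lookalike
    if normalize(domain) == normalize(real):
        return True                         # e.g. exarnple.edu vs example.edu
    base = real.lower().split(".")[0]       # "example"
    return base in domain.lower()           # e.g. example-it-support.com (may over-flag)


def check_headers(raw: str) -> list[str]:
    """Return the list of findings for one raw RFC 822 message (headers + body)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in TRUSTED_NAMES and domain != ORG_DOMAIN:
        findings.append("display-name spoof")       # trusted name, outside address
    if domain and lookalike(domain, ORG_DOMAIN):
        findings.append("lookalike domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply-to mismatch")        # replies go somewhere else
    return findings


SAMPLES = {  # constructed sample messages, not real mail
    "impersonated exec": "From: Jane Doe <jane.doe@gmail.com>\nTo: staff@example.edu\n\nbody",
    "lookalike": "From: IT Help <helpdesk@exarnple.edu>\nReply-To: helpdesk@exarnple.edu\n\nbody",
    "reply-to": "From: Finance Office <ap@example.edu>\nReply-To: ap-invoices@outlook.com\n\nbody",
    "legit": "From: Jane Doe <jane.doe@example.edu>\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} -> {check_headers(raw) or ['no findings']}")
```

None of these checks replaces the diligence the article calls for; a message that passes them can still be a well-crafted spear phish, and a flagged one can be legitimate.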

Spear phishing attacks consist of three main steps:

  1. Infiltration — Directing users to click on a malicious link that downloads and installs malware or leads them to a fraudulent website. Once on the fraudulent website, the victim is asked for vital information, which the phisher can then use directly or use to log in to the victim’s account.
  2. Reconnaissance — The phisher monitors and reads emails to learn about the organization and identify additional targets and opportunities.
  3. Extract Value — Using the information and knowledge gained over time, or even using the compromised email account itself, the attacker launches spear phishing attacks.

As mentioned earlier, spear phishing attacks often elude spam filters and other email security solutions. As a result, the only defense against spear phishing is diligence. You must use caution when you receive an email that asks you to click a link or share sensitive information, even if it appears to come from a trusted source.

ITS will continue to send simulated phishing emails in order to help the campus community learn how to recognize phishing attacks. Training is assigned to those who prove to be susceptible to phishing attacks. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to).

— Christopher Mielke, ITS